Only spawn init processes when using PID NS

PiperOrigin-RevId: 239169620
Change-Id: I9f26cfab90189a1baa5b87a700ce892cf0c95a89
This commit is contained in:
Kevin Hamacher 2019-03-19 05:14:08 -07:00 committed by Copybara-Service
parent 7ecdd2f8fc
commit 5d216fb191
2 changed files with 10 additions and 11 deletions


@ -153,13 +153,12 @@ pid_t Executor::StartSubProcess(int32_t clone_flags, const Namespace* ns,
pid_t sandboxee_pid = fork_client_->SendRequest( pid_t sandboxee_pid = fork_client_->SendRequest(
request, exec_fd_, client_comms_fd_, ns_fd, &init_pid); request, exec_fd_, client_comms_fd_, ns_fd, &init_pid);
// init_pid = 0 means that we're executing the libunwind sandbox and don't
// need an init process.
// TODO(hamacher): This is also the case for spawning the custom forksever
// (not spawning children from the custom forkserver), so
// we should clean it up.
if (init_pid == -1) { if (init_pid == -1) {
LOG(ERROR) << "Could not obtain init PID"; LOG(ERROR) << "Could not obtain init PID";
} else if (init_pid == 0 && request.clone_flags() & CLONE_NEWPID) {
LOG(FATAL)
<< "No init process was spawned even though a PID NS was created, "
<< "potential logic bug";
} else if (init_pid > 0) { } else if (init_pid > 0) {
if (init_pid_out) { if (init_pid_out) {
*init_pid_out = init_pid; *init_pid_out = init_pid;
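Review bot: The `init_pid == 0` case without CLONE_NEWPID now falls through all three branches silently, and the comment that explained when a zero init PID is expected was deleted with the old text, so a reader of this block can no longer tell whether that is an error or the normal no-PID-namespace path; I would keep a one-line comment above the chain, `// init_pid == 0 is expected when no PID namespace was requested: no init process is spawned.` The new condition is correct as written because `&` binds tighter than `&&`, but `init_pid == 0 && (request.clone_flags() & CLONE_NEWPID)` reads unambiguously and avoids a parentheses warning on some compilers. The same `clone_flags() & CLONE_NEWPID` predicate is tested in ForkServer::LaunchChild and ForkServer::ServeRequest in the second file; if those three ever disagree this LOG(FATAL) is the only thing that catches it, so a shared helper on the request would be safer than three hand-written copies. StartSubProcess begins and ends outside the hunk.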


@ -255,9 +255,8 @@ void ForkServer::LaunchChild(const ForkRequest& request, int execve_fd,
SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities"); SAPI_RAW_CHECK(cap_set_proc(caps) == 0, "while dropping capabilities");
cap_free(caps); cap_free(caps);
// The unwind sandbox is not running in a PID namespace and doesn't require // A custom init process is only needed if a new PID NS is created.
// an init process, everything else does. if (request.clone_flags() & CLONE_NEWPID) {
if (request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) {
RunInitProcess(signaling_fd, open_fds); RunInitProcess(signaling_fd, open_fds);
} }
if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX || if (request.mode() == FORKSERVER_FORK_EXECVE_SANDBOX ||
@ -392,7 +391,7 @@ pid_t ForkServer::ServeRequest() const {
fd_closer1.Close(); fd_closer1.Close();
if (fork_request.mode() != FORKSERVER_FORK_JOIN_SANDBOX_UNWIND) { if (fork_request.clone_flags() & CLONE_NEWPID) {
union { union {
struct cmsghdr cmh; struct cmsghdr cmh;
char ctrl[CMSG_SPACE(sizeof(struct ucred))]; char ctrl[CMSG_SPACE(sizeof(struct ucred))];
@ -414,8 +413,8 @@ pid_t ForkServer::ServeRequest() const {
// previously forked. // previously forked.
init_pid = sandboxee_pid; init_pid = sandboxee_pid;
// And the actual sandboxee will be forked from the init process, so we need // And the actual sandboxee will be forked from the init process, so we
// to receive the actual PID. // need to receive the actual PID.
struct cmsghdr* cmsgp = nullptr; struct cmsghdr* cmsgp = nullptr;
if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <= if (TEMP_FAILURE_RETRY(recvmsg(fd_closer0.get(), &msgh, MSG_WAITALL)) <=
0 || 0 ||
@ -431,6 +430,7 @@ pid_t ForkServer::ServeRequest() const {
sandboxee_pid = ucredp->pid; sandboxee_pid = ucredp->pid;
} }
} }
// Parent. // Parent.
close(comms_fd); close(comms_fd);
if (exec_fd >= 0) { if (exec_fd >= 0) {
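Review bot: The child's decision to run an init process (`if (request.clone_flags() & CLONE_NEWPID)` in LaunchChild) and the parent's decision to block in recvmsg() for the real sandboxee PID (the matching test in ServeRequest) are now two independent evaluations of the same predicate; they agree today, but if either side is later edited alone the parent will either hang waiting for a ucred that is never sent or report the init PID as the sandboxee PID. I would factor the test into one helper, e.g. `static bool NeedsInitProcess(const ForkRequest& request) { return request.clone_flags() & CLONE_NEWPID; }`, and call it from both places (and from Executor::StartSubProcess, which tests the same expression). The updated comment in LaunchChild could also state the coupling explicitly, e.g. `// Must match the CLONE_NEWPID check in ServeRequest, which waits for the init process to report the sandboxee PID.` Both LaunchChild and ServeRequest begin and end outside the visible hunks.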